DOL Issues Cybersecurity Guidelines And Begins Audits - Employment and HR

Published on November 24th, 2021 | 7871 Views

United States:

DOL Issues Cybersecurity Guidelines And Begins Audits

To address growing cybersecurity risks to plan participants and
their retirement assets, the Department of Labor (DOL) issued a set
of guidance for retirement plan sponsors and fiduciaries, their
service providers, and plan participants aimed at mitigating
cybersecurity risks. The DOL has also begun examining plans’
cybersecurity programs. Its information requests, which are very
detailed and encompassing, signal that the guidelines are not
optional and that the DOL is serious about enforcing them. Below is
a summary of the DOL’s guidance and of the items it has
signaled will be reviewed in a cybersecurity audit.

DOL Guidance

The DOL released its guidance on April 14, 2021 in three pieces.
The first piece, “Tips for Hiring a Service Provider,” is
aimed at assisting plan sponsors and fiduciaries in choosing
service providers with robust cybersecurity practices. The initial
guidance makes clear that the DOL considers the management of
cybersecurity risk – including the scrutinizing of service
providers’ cybersecurity policies and practices – to be
part of a fiduciary’s duties. The tips include:

  • Making sure that contracts with service providers require their
    ongoing compliance with cybersecurity and information security
    standards, and being wary of provisions that limit the service
    provider’s responsibility for IT security breaches;
  • Looking for contract provisions that give plan sponsors and
    fiduciaries the right to review the service provider’s audit
    results demonstrating compliance with industry security
    standards;
  • Examining the service provider’s track record in the
    industry, including public information regarding information
    security incidents;
  • Inquiring as to any past security breaches, how they came
    about, and how the service provider responded; and
  • Finding out whether the service provider has any insurance
    policies that would cover losses caused by cybersecurity and
    identity theft breaches, whether internal or external.

The second piece of guidance, “Cybersecurity Program Best
Practices,” advises plan fiduciaries and record-keepers on
their responsibilities to manage cybersecurity risks. These
include:

  • Conducting prudent annual risk assessments;
  • Conducting periodic cybersecurity awareness training for
    employees;
  • Having an effective business resiliency program addressing
    business continuity, disaster recovery, and incident response in
    the event of disruption due to a security incident; and
  • Encrypting sensitive data, both stored and in transit.

Plan sponsors may also wish to engage information technology
assistance to the extent it would help them meet these
requirements.

The third piece of guidance, “Online Security Tips,”
is directed at plan participants and beneficiaries who check or
manage their retirement accounts online and includes such tips
as:

  • Using strong and unique passwords;
  • Using multi-factor authentication;
  • Recognizing phishing attacks; and
  • Using antivirus software.

Note that although this third set of guidance is geared toward
participants and beneficiaries, employers and plan sponsors would
also be well-served to engage an administrator that tries to
enhance cybersecurity awareness on the participants’ side (for
example, by informing and/or reminding participants to take the
above actions).

Audit Initiative

The type of documentation that the DOL has requested as part of
its recent audits is quite comprehensive, including basically all
information and documentation that an organization has relating to
its information security systems. A few examples of such requests
include:

  • All policies, procedures, or guidelines relating to:
    • Data governance, classification, and disposal
    • The implementation of access controls and identity management,
      including any use of multi-factor authentication
    • The processes for business continuity, disaster recovery, and
      incident response
    • The assessment of security risks
    • Data privacy
    • Management of vendors and third-party service providers,
      including notification protocols for cybersecurity events and the
      use of data for any purpose other than the direct performance of
      their duties
    • Cybersecurity awareness training
    • Encryption to protect all sensitive information, whether stored
      or in transit.
  • All documents and communications relating to any past
    cybersecurity incidents.
  • All documents and communications from service providers
    regarding policies and procedures for collecting, storing,
    archiving, deleting, anonymizing, warehousing, and sharing
    data.
  • All documents and communications describing the permitted uses
    of data by the sponsor of the plan or by any service providers of
    the plan, including, but not limited to, all uses of data for the
    direct or indirect purpose of cross-selling or marketing products
    and services.

What this Means for Plan Sponsors and Fiduciaries

In light of the DOL’s apparent focus on protecting plan
participants from cybersecurity threats, plan sponsors and
fiduciaries should consider how much of the above documentation
they can provide in the event of an audit. Where there are
identified weaknesses in their cybersecurity programs, they should
act to address them to bring them in line with the DOL guidance
prior to being audited.

Furthermore, plan sponsors and fiduciaries should look into the
cybersecurity practices of their service providers and, where
necessary, implement the recommendations in the DOL guidance
pertaining to their contracts with their service providers. For
example, they should ensure that the contracts include provisions
requiring the service provider to obtain annual third-party audits
to determine compliance with information security policies and
procedures, to provide notification within a specified timeframe in
the event of any cyber incident or data breach, to cooperate to
investigate and address the cause of the breach, and to obtain some
form of cyber liability insurance coverage.

Employers might also consider reminding their employees of the
importance of protecting their retirement plan accounts using the
guidance in the DOL’s “Online Security Tips.”

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
